Remarks

Drawings Specification

A substitute specification conforming the application text to US style and practice is
submitted herewith. The substitute specification does not add new matter.

On amended page 6 of the description the reference sign 27 denoting the buffer has been
corrected.

Regarding the other reference signs 22 - 25, 28 - 30, these signs are mentioned in the 
description of Fig. 2 and included in this figure. Thus, a correction of the drawings does not 
appear to be necessary. 

The abstract of the disclosure is amended to place all sentences into a single paragraph, 
i.e., to remove the line break between sentences 2 and 3. 

On page 2, the specification is amended to specify that the cited state of the art is a 
German patent application. 

Claim Objections

The Examiner appears not to have seen our Preliminary Amendment, which avoided
multiple dependencies in the claims. But his treatment of the dependencies appears applicable.

Claims 16 and 17 are amended to substitute "the system" for "the function".

Claim Rejections - 35 USC 102 (b)

Claims 1-4, 6-7, 9, 12-21 and 23 stand rejected as being anticipated by Eastvold et al. 

Valid rejection under 35 USC 102 requires that each feature of a rejected claim be
disclosed in a single reference. "For anticipation under 35 USC 102, the reference must teach
every aspect of the claimed invention either explicitly or impliedly. Any feature not directly
taught must be inherently present." MPEP 706.02(a)

Eastvold et al. does not disclose each feature of the rejected claims.

The network as shown in Fig. 1 of Eastvold et al. is not entirely ring-shaped. Although
the DTU's are connected via a ring shaped serial connection, this does not hold for the system
monitor 16 which is merely connected to master DTU 34. In contrast thereto, all devices as
defined in claim 1 are part of the ring shaped network.

Furthermore, Eastvold et al. fails to teach that temporarily stored data are monitored by a
checking logic of a peripheral safety-related unit in such a manner that, in the case of a fault, a
safe state of the output unit (10) for the control process is initiated. Suppressing data cannot be
compared to an initiation of a safe state. The latter necessarily implies a change of the state of the
safety related unit. If, on the other hand, data destined for one of the DTUs are merely
suppressed, as taught in Eastvold et al., the state of the respective DTU does not change at all.



Moreover, claim 1 defines a control unit and a peripheral monitoring unit. As the 
monitoring unit is definitely peripheral, both units are distinct devices and cannot be compared 
with a combination of master DTU 34 and system monitor box 16 as disclosed in Eastvold et al. 

As well, there is no hint for a person skilled in the art to modify the system as disclosed in 
Eastvold et al. so as to derive a system according to claim 1, which comprises means for 
initiating a safe state of the output unit for the control process in the case of a fault. 

Claim Rejections - 35 USC 103 (a)

Claims 5 and 22 stand rejected as being unpatentable over Eastvold et al. in view of
Dawson.

Claims 8, 10-11 and 24 stand rejected as being unpatentable over Eastvold et al. in view
of Cawley.

MPEP 2142 sets forth "The Legal Concept of Prima Facie Obviousness."

To establish a prima facie case of obviousness under 35 USC 103(a) the initial burden is
on the Examiner to provide some suggestion of the desirability of doing what the inventor has
done. "To support the conclusion that the claimed invention is directed to obvious subject
matter, either the references must expressly or impliedly suggest the claimed invention or the
Examiner must present a convincing line of reasoning as to why the artisan would have found the
claimed invention to have been obvious in light of the teachings of the references."

MPEP 2143 sets forth basic requirements of a Prima Facie case of obviousness. 

"To establish a prima facie case of obviousness, three basic criteria must be met. First,
there must be some suggestion or motivation, either in the references themselves or in the
knowledge generally available to one of ordinary skill in the art, to modify the reference or to
combine reference teachings. Second, there must be a reasonable expectation of success.
Finally, the prior art reference (or references when combined) must teach or suggest all the claim
limitations.

The teaching or suggestion to make the claimed combination and the reasonable
expectation of success must both be found in the prior art, not in applicant's disclosure. In re
Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991)."

The cited references do not motivate or suggest to a skilled artisan to combine these
references to produce applicant's invention as claimed.

Dawson does not teach redundant input channels as defined in claim 22. According to the
circuit diagram as depicted in Fig. 10 of Dawson, two units 330, 340 read data from input lines
212, 312. However, claim 22 defines that the device comprises two bus units (22, 23), to forward
the output data of a bus unit (22) also to the input section of the other bus unit (23) in order to be
able to fetch information from the control process via redundant input channels (24, 25) and in
order to provide the output data of a peripheral monitoring unit (4) for read-back. However, the
output lines 310, 315 of the units 330, 340 are only connected with comparator 320.
Undoubtedly, therefore, none of the output lines 310, 315 of the units 330, 340 is connected to
the input of the other unit.

As Dawson does not teach this feature of two bus units connected so as to forward output
data of one unit to the input of another unit, the subject matter of claim 22 therefore cannot be
rendered obvious over a combination of Eastvold et al. and Dawson.

As dependent claims 2 - 21, 23 and 24 incorporate all features of claims 1 and claim 22,
respectively, the subject matter of these claims is new and inventive, too.

Moreover, claim 3 defines that the data which are temporarily stored in the peripheral
safety-related unit are read back by a bus unit of the peripheral safety-related unit. However,
Eastvold et al. does not disclose a similar feature. Particularly, the passages of Eastvold et al.
cited in the Office Action with respect to claim 3 merely disclose that data are subsequently sent
from one DTU to the next DTU within the network. This, however, does not mean that data
which are stored in a bus unit are read back by the same unit, as would follow from a system
according to claim 3.

As well, claim 4 defines an assembly similar to claim 3. Although the DTUs as disclosed
in Eastvold et al. may have a buffer, it is not disclosed therein that the content of the buffer is
read back by the bus unit 23 whereby both the buffer and the bus unit 23 are components of the
peripheral safety-related unit. The passages of Eastvold et al. cited in the Office Action merely
disclose that a CRC is performed with data received from another DTU.

Further, col. 11, lines 45-63 of Eastvold et al. neither discloses nor implies that data of an
SPC are overwritten by a peripheral monitoring unit. This passage merely discloses that
performance and history information is stored in a system monitor database.

Regarding claim 8, Cawley merely teaches to insert a "BadPacket" indicator at the end of
the packet. Consequently, Cawley just teaches to add data to existing data rather than
manipulating the existing data. However, adding a flag which identifies a packet to contain bad
data is different from manipulating the data, e.g., so as to correct the package content.

It is further submitted that a system according to claim 10 cannot be derived from a
combination of the teachings of Eastvold et al. and Cawley. Regarding the overwriting of faulty
data, Cawley just describes the opposite of what is defined in claim 10. Cawley teaches (see col.
9, lines 4-21) that a data packet transmitted by a router is not allowed to be overwritten if the
receiving router detects a CRC-fault. Data in the FIFO ring buffer are only overwritten if the data
package has arrived at the receiving router without CRC faults. If data have been transmitted
correctly, i.e. after agreement, then the data in the FIFO of the transmitting router are
overwritten. In contrast thereto, claim 10 defines that data are overwritten to prevent agreement.

Moreover, it is not disclosed in Eastvold et al. that the peripheral safety-related unit only
becomes active if it has received an agreement for the data of the output unit via the checking
unit as defined in claim 12. Eastvold et al., specifically col. 15, lines 35 - 39 merely discloses
that packages with valid CRC and "Broadcast" data packets are accepted, whereas other packets
are dropped. In contrast to the opinion expressed in the Office Action, it is not disclosed that the
dropping prevents further processing.

As well, we are unable to share the view expressed with respect to claim 14. The passage
which is cited as relevant for the subject matter of claim 14 (col. 6, lines 1-2) refers to the DTUs
12 but not to master DTU 34. Furthermore, it is not disclosed that any of the DTUs performs
control functions like the system monitor box 16.

Furthermore, we cannot agree with the view expressed with respect to claim 19. Again,
with reference to the discussion of claim 1, the control unit and peripheral monitoring unit cannot
be compared with a combination of the system monitor box 16 and master DTU 34 according to
Eastvold et al.

Regarding claim 21, the same arguments as put forward with respect to the feature of
initiating a safe state according to claim 1 are valid. Dropping data packets does not change the
state of a DTU 12 or 34 at all.

Wherefore further consideration and allowance of the application as amended is
respectfully requested.

A two-month extension of time in which to respond to the outstanding Office Action is
hereby requested. PTO-2038, authorizing credit card payment in the amount of $450,
is enclosed for the prescribed Large Entity two-month extension fee.

Respectfully submitted,



M. Robert Kestenbaum 
Reg. No. 20,430 
11011 Bermuda Dunes NE 
Albuquerque, NM USA 87111
Telephone (505) 323-0771 
Facsimile (505) 323-0865 



I hereby certify this correspondence is being submitted to Commissioner for Patents,
Washington, D.C. 20231 by facsimile transmission on May 12, 2005, fax number (571) 273-3657.



M. Robert Kestenbaum 

Substitute Specification

Circuit Arrangement for Protected Data Transmission, Particularly in Ring-Shaped Bus Systems

Cross-Reference to Related Applications - Not Applicable

Statement Regarding Federally Sponsored Research & Development - Not Applicable.

Background of the Invention

Field of the Invention

Description

[0001] The invention relates to a circuit arrangement for protected data transmission, particularly
in ring-shaped bus systems.

Description of Relevant Art 

[0002] In machine and plant construction today, movements and processes are not infrequently 
controlled which represent a danger to the life and health of persons, particularly the 
operating personnel, in the case of a fault or if they fail. Apart from these dangers, however, 
valuable machine parts must also be protected which can suffer great financial damage in the 
case of possible malfunctions. 

[0003] Any faults which may occur must, therefore, be recognized by the process or the existing
control facilities and the machine should always be driven in a state which can be considered
safe. As a rule, redundant structures are necessary for this which monitor the safety functions
independently of the actual control. In machine or plant construction, detection of a single
error is frequently sufficient for fault detection. After this fault has been detected, the control
process can then be interrupted and stay in a safe state. This prevents any damage by faulty
continuation of the process.

[0004] The methods for fault detection and the measures necessary for these are stated in
international standards DIN V VDE 0801 and DIN ISO 61508. By means of the principles
given in these standards, the manufacturers of automation equipment have developed in
recent years different strategies which allow safe transmissions on bus systems, see for
example, the "profibus with F-Profil", PNO and safety-bus P by Pilz and Sick.

[0005] In addition, control systems will reach the market which already have internally
redundant structures and thus, in interplay with said safe bus systems, allow fault detection;
see, for example, the bus systems from Siemens, particularly the equipment series S7 400 F,
or the PSS 3000 series by Pilz.

[0006] However, the methods implemented there can only be used with completely new
installation of the necessary components and protect only inadequately against systematic
faults.

Brief Summary of the Invention

[0007] Instead, the invention has the object of detecting faults in a process which is only built up
with standard units.

[0008] In addition, it should preferably be not only any faults occurring in the transport of data
via a bus system used, but also disturbances or programming errors in the control device
which are detected and eliminated.

[0009] The circuit arrangement thus represents an implementation of a method which has already
been filed under the post-published German patent application no. 198 57 683.8, the full
extent of the content of which is also made the subject matter of the present patent
application by reference.

[0010] The method is particularly suitable for all ring-shaped bus systems, the technology
described being optimally adapted for the interbus standard. In this case, a requirement
profile was already worked out at the beginning of 1999 and then published, IEE journal,
April 1999, Karsten Meyer-Grafe: "Interbus goes Safety".

Brief Description of the Drawings

[0011] In the text which follows, the invention is described in more detail, referring to preferred
embodiments and the attached drawings, in which:

[0012] Fig. 1 shows the configuration for a first embodiment of a system for protected data
transmission,

[0013] Fig. 2 shows the internal configuration of the peripheral safety-related unit of the system
for protected data transmission.

Detailed Description of the Invention

[0014] In the text which follows, the invention will be described in greater detail, initially by
referring to Fig. 1. Fig. 1 shows a suitable configuration for such a system.

[0015] The control unit (1) handles all control functions in the process as is known, for example,
from the conventional interbus system. The control unit (1) also detects possible faults and
can interrupt processes or bring them to a safe state.

[0016] In the case of its own failure or in the case of faulty data transport, however, the control
unit (1) is conventionally not able to produce the desired safe state. This failure also occurs,
for example, if there is extensive separation between process control and safety control in the
control system. Since there is conventionally no redundancy here, either, an undetected fault
may have grave consequences.

[0017] According to the invention, other components are added which detect and eliminate a
possible fault. These units are: a peripheral monitoring unit (4) and one or more peripheral
safety-related units (9) in the process, which are only necessary where safety-related data are
received or transmitted.

[0018] The control unit (1) contains a data map register (2) which sends all output data and other
checking signals via the data line (13) to the peripheral units (7, 8, 12, peripheral
safety-related unit 9 and peripheral monitoring unit 4).

[0019] Since the bus transport works in a similar way to a shift register, all peripheral units send
their input data to the control unit in the same bus cycle via the return line (14) and these data
are available in the data map register (3). In a subsequent SPC (stored-program control)
cycle, the SPC then processes the data from its two map registers (2, 3) and thus generates the
necessary state for the process.

[0020] Without the peripheral monitoring unit (4) and the peripheral safety-related unit (9),
however, the SPC is not capable of controlling a programming error, a state due to
disturbance or failure or a data error due to the wrong bus transport. The peripheral
monitoring unit (4), therefore, contains its own microprocessor which monitors the
transmitted data of the SPC and only examines the safety-related quantities for
appropriateness, particularly their correctness.

[0021] Thus, the peripheral monitoring unit (4) with the transfer unit (5) is capable of monitoring
the SPC. However, the peripheral monitoring unit (4) can also additionally read the data of
the inputs of the peripheral units via the transfer unit (6) installed in the return path. Since the
peripheral safety-related unit (9) also forwards its output information (D3) directly to the
input section of the bus unit (23), it is possible to check directly whether the bus transfer has
worked correctly.

[0022] Furthermore, the peripheral monitoring unit (4) with its transfer unit (5) is also capable of
manipulating the data for the peripheral safety-related unit (9). In particular, the peripheral
monitoring unit (4) can overwrite data of the SPC and thus prevent agreement with the data
output from the peripheral safety-related unit (9). The peripheral safety-related unit (9)
becomes active only if it has received an agreement for the data of the output unit (10) via the
checking unit (11).

[0023] The timing with the data transport is shown in the following table: 

[0024] The timing diagram shows the state after each shift information in the ring by means of a
preferred example, the Interbus system by Phoenix Contact GmbH and Co. KG.

[0025] The information AC3 can be manipulated by the peripheral monitoring unit (4) with the
transfer unit (5) and can be overwritten. The peripheral safety-related unit (9) thus receives in
its checking logic (11) an additional information item which prevents a faulty output.

[0026] As can also be seen from the timing diagram, the peripheral monitoring unit (4) can also
read the data of the output from the peripheral safety-related unit (9) (EC3). These data
represent the direct output information of the peripheral safety-related unit (9) so that a bus
error is reliably detected.

[0027] The internal configuration of the peripheral safety-related unit (9) is shown in figure 2.

[0028] The peripheral safety-related unit (9) consists of two bus units (22, 23) so that input
information can be fetched redundantly (24, 25). In addition, the output information Dn from
a bus unit (22) is mapped via the input section of the other bus unit (23). A possible error in
the internal storage or during the bus transport is thus detected in the subsequent cycle of the
bus transport. The output information Dn is written into the buffer [[(7)]] (27) by the control
unit (SPC).

[0029] However, the checking logic (11) additionally decides whether the information of the
buffer [[(7)]] (27) appears at the peripheral unit via the output logic (28). This checking logic
(11) can either release the stored information via the line (30) or delete the state via the line
(31) so that the output (29) brings the control process into a safe state.
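
An added sketch, not part of the application text: a minimal Python model of the release/delete decision and the read-back described in paragraphs [0025] to [0029]. It assumes the agreement word (AC3) is sent as a copy of Dn, that 0x00 is the safe state, and that one function call stands for one bus cycle; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field

SAFE_STATE = 0x00  # assumption: all outputs de-energised is the safe state


@dataclass
class SafetyUnit:
    """Peripheral safety-related unit (9)."""
    buffer: int = SAFE_STATE   # buffer (27)
    output: int = SAFE_STATE   # output (29)

    def cycle(self, dn: int, ac: int) -> int:
        self.buffer = dn                  # SPC data Dn is written into the buffer
        if ac == self.buffer:             # checking logic (11) has an agreement
            self.output = self.buffer     # release via line (30)
        else:
            self.buffer = SAFE_STATE      # delete via line (31)
            self.output = SAFE_STATE
        return self.output                # read back through bus unit (23), EC3


@dataclass
class MonitoringUnit:
    """Peripheral monitoring unit (4) with transfer units (5) and (6)."""
    allowed: frozenset                    # assumption: set of appropriate Dn values
    expected: int = SAFE_STATE
    faults: list = field(default_factory=list)

    def outbound(self, dn: int, ac: int) -> int:
        """Transfer unit (5): pass the agreement word on, or overwrite it."""
        if dn not in self.allowed:
            self.faults.append(f"SPC data {dn:#04x} not appropriate")
            self.expected = SAFE_STATE
            return dn ^ 0xFF              # overwritten: can never equal Dn
        self.expected = dn
        return ac

    def inbound(self, readback: int) -> None:
        """Transfer unit (6): compare the read-back output with the expectation."""
        if readback != self.expected:
            self.faults.append(
                f"read-back {readback:#04x}, expected {self.expected:#04x}")


def run_cycle(monitor, unit, dn, bus_flip=0):
    """One ring shift: SPC -> monitor (4) -> bus -> safety unit (9) -> back."""
    ac = monitor.outbound(dn, ac=dn)      # assumption: SPC sends AC as a copy of Dn
    out = unit.cycle(dn ^ bus_flip, ac)   # bus_flip models a transport bit error
    monitor.inbound(out)
    return out


def demo():
    # Constructed sample values, chosen only for this illustration.
    monitor = MonitoringUnit(allowed=frozenset({0x00, 0x01, 0x05}))
    unit = SafetyUnit()
    outputs = [
        run_cycle(monitor, unit, 0x05),                 # appropriate command
        run_cycle(monitor, unit, 0xF0),                 # programming error in the SPC
        run_cycle(monitor, unit, 0x01, bus_flip=0x04),  # bit error on the bus
    ]
    return outputs, monitor.faults


if __name__ == "__main__":
    outs, faults = demo()
    print([f"{o:#04x}" for o in outs])
    for line in faults:
        print("fault:", line)
```

In the third cycle the corrupted value 0x05 is itself an allowed command; the output still falls to the safe state because the agreement word no longer matches the buffer.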

[0030] In principle, however, the circuit arrangement operates in many areas just like a normal
decentralized SPC system. The components merely additionally allow inputs to be
redundantly monitored and stored output information to be examined for appropriateness,
particularly freedom from faults before it is output. Furthermore, the monitoring unit can also
detect faults which have not only been produced by failure or disturbance but were caused by
an error in programming or parameterizing.

[0031] The present circuit arrangement thus allows data which are necessary for configuring
fault-tolerant structures to be transmitted on standard ring-shaped bus systems.

[0032] To implement the invention, a monitoring unit and peripheral input and output units
transmitting or receiving data for control purposes are used.

[0033] The circuit arrangement handles the task of detecting any faults which can become a
danger for the control process, particularly for the transmission of control, sensor or actuator
data, within a machine or plant. Due to its internal configuration, the circuit arrangement
identifies a possible error even before the error is transmitted to the control process and
initiates a protected switch-off. In this arrangement, it is of no importance whether it is the
external control unit or the bus system used which is responsible for the error.

Abstract (Amended)

The present circuit arrangement allows data, which are necessary for building up fault-
tolerant structures, to be transmitted on standard ring-shaped bus systems. Its implementation
requires a monitoring unit and input and output units which transmit or receive data for control.
The circuit arrangement handles the task of detecting any faults which can become a danger for
the process within a machine or plant. Due to its internal configuration, the circuit arrangement
identifies any fault even before the detection of the fault and initiates a protected switch-off. In
this arrangement, it is of no importance whether it is the external control unit or the bus system
used which is responsible for the fault.